---
CVE-2024-53195 is a Linux kernel issue in the arm64 KVM code, caused by mismanagement of the userspace_irqchip_in_use static key. This post explains the issue, shows the kernel warning it produces, describes the fix, and walks through the userspace ioctl sequence that triggers it, with references to the original sources.

Background

---
The Linux kernel's KVM (Kernel-based Virtual Machine) module lets a host run multiple virtual machines with hardware-assisted isolation of CPU state and memory. On arm64, a VM's interrupt controller can either be emulated in the kernel (the vGIC) or left to userspace. To track that at least one VM in the system uses a userspace interrupt controller, the arm64 KVM code kept a global static key, userspace_irqchip_in_use, which had to be incremented and decremented in step with each VM's life cycle. Keeping that global counter consistent with the per-vCPU state (in particular, the timer) is where the problem lies.

Description of the Issue

---
CVE-2024-53195 is caused by improper use of the userspace_irqchip_in_use static key, which allowed syzbot to hit the following WARN_ON() in kvm_timer_update_irq():

WARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/arch_timer.c:459
kvm_timer_update_irq+0x21c/0x394
Call trace:
kvm_timer_update_irq+0x21c/0x394 arch/arm64/kvm/arch_timer.c:459
kvm_timer_vcpu_reset+0x158/0x684 arch/arm64/kvm/arch_timer.c:968
kvm_reset_vcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264
kvm_vcpu_set_target arch/arm64/kvm/arm.c:1553 [inline]
kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1573 [inline]
kvm_arch_vcpu_ioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695
kvm_vcpu_ioctl+0x4ec/0xf74 virt/kvm/kvm_main.c:4658
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__arm64_sys_ioctl+0x108/0x184 fs/ioctl.c:893
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Fix

---
The fix replaces every use of userspace_irqchip_in_use with !irqchip_in_kernel(), a check on the VM's own state (whether a vGIC was created for it), and removes the static key entirely. With no separate global counter to keep in sync with the timer's enabled state, there is no window in which the timer is enabled but the key still says "no userspace irqchip VMs exist". The same change resolves the syzbot report above.
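
The following is an added illustration, not code from the kernel or from the commit that fixes this CVE: a userspace model of just the KVM bookkeeping that matters here (timer enabled flag, the global key, and the per-VM vGIC flag), replaying the reported sequence once with the old global-key predicate and once with the per-VM !irqchip_in_kernel() check. Function names mirror the kernel functions in the call trace; the errno values and the field names are assumptions chosen for the model.

```c
/*
 * Added illustration (not kernel code): a model of the KVM state involved in
 * CVE-2024-53195. It replays VCPU_INIT -> KVM_RUN (fails) -> VCPU_INIT and
 * counts how often the WARN_ON() in kvm_timer_update_irq() would fire.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct kvm {
    bool vgic_created;           /* true once userspace created an in-kernel vGIC */
};

struct kvm_vcpu {
    struct kvm *kvm;
    bool has_run_once;
    bool timer_enabled;          /* set by kvm_timer_enable() on first KVM_RUN */
    bool pmu_requested;          /* KVM_ARM_VCPU_PMU_V3 asked for at init */
    bool pmu_set_up;             /* vPMU device attributes configured (never, here) */
};

/* Model of the old global static key: number of VMs with a userspace irqchip. */
static int userspace_irqchip_in_use;
/* Model of the WARN_ON(ret) in kvm_timer_update_irq(). */
static int warn_on_hits;

static bool irqchip_in_kernel(const struct kvm *kvm)
{
    return kvm->vgic_created;
}

/* Old predicate: the global key AND this VM has no in-kernel vGIC. */
static bool userspace_irqchip_old(const struct kvm *kvm)
{
    return userspace_irqchip_in_use > 0 && !irqchip_in_kernel(kvm);
}

/* Injecting into a vGIC that was never created fails (errno is a model choice). */
static int kvm_vgic_inject_irq(const struct kvm *kvm)
{
    return irqchip_in_kernel(kvm) ? 0 : -ENXIO;
}

static void kvm_timer_update_irq(struct kvm_vcpu *vcpu, bool fixed)
{
    bool userspace = fixed ? !irqchip_in_kernel(vcpu->kvm)
                           : userspace_irqchip_old(vcpu->kvm);
    if (!userspace && kvm_vgic_inject_irq(vcpu->kvm) != 0)
        warn_on_hits++;                       /* WARN_ON(ret) in the real code */
}

/* KVM_ARM_VCPU_INIT -> kvm_reset_vcpu() -> kvm_timer_vcpu_reset() */
static void kvm_arm_vcpu_init(struct kvm_vcpu *vcpu, bool request_pmu, bool fixed)
{
    vcpu->pmu_requested = request_pmu;
    if (vcpu->timer_enabled)                  /* only true after a KVM_RUN */
        kvm_timer_update_irq(vcpu, fixed);
}

/* First-run path of KVM_RUN (kvm_arch_vcpu_run_pid_change()), in the order
 * the text gives: enable the timer, enable the vPMU, then bump the key. */
static int kvm_run(struct kvm_vcpu *vcpu)
{
    if (vcpu->has_run_once)
        return 0;
    vcpu->timer_enabled = true;               /* kvm_timer_enable() */
    if (vcpu->pmu_requested && !vcpu->pmu_set_up)
        return -EINVAL;                       /* kvm_arm_pmu_v3_enable() fails */
    if (!irqchip_in_kernel(vcpu->kvm))
        userspace_irqchip_in_use++;           /* static_branch_inc(), never reached above */
    vcpu->has_run_once = true;
    return 0;
}

/* Replays the reported sequence; returns how many times the WARN_ON fired. */
int replay_sequence(bool fixed, bool vgic_created)
{
    struct kvm kvm = { .vgic_created = vgic_created };
    struct kvm_vcpu vcpu = { .kvm = &kvm };

    userspace_irqchip_in_use = 0;
    warn_on_hits = 0;

    kvm_arm_vcpu_init(&vcpu, true, fixed);   /* request vPMU, set up nothing else */
    (void)kvm_run(&vcpu);                    /* fails: timer on, key untouched */
    kvm_arm_vcpu_init(&vcpu, true, fixed);   /* userspace ignores the error, re-inits */
    return warn_on_hits;
}

int main(void)
{
    printf("unfixed, no vGIC: WARN_ON hits = %d\n", replay_sequence(false, false));
    printf("fixed,   no vGIC: WARN_ON hits = %d\n", replay_sequence(true, false));
    printf("unfixed, vGIC:    WARN_ON hits = %d\n", replay_sequence(false, true));
    return 0;
}
```

The model shows the two halves of the bug at once: the old predicate reports "not a userspace irqchip" because the global key was never incremented, so the timer code tries to inject into a vGIC that does not exist; the per-VM check needs no counter and answers correctly from the VM's own state. The third replay, with a vGIC present, fires in neither version, which is why the report needed a VM without an in-kernel interrupt controller.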

Original References

---
- Linux kernel source code: https://github.com/torvalds/linux
- KVM Documentation: https://www.kernel.org/doc/html/latest/virt/kvm/index.html
- Syzbot: https://syzkaller.appspot.com/

Exploit Details

---
The WARN_ON() is reached from userspace through ordinary KVM ioctls, with no privilege beyond access to /dev/kvm. The sequence from the report is: userspace creates a VM and a vCPU, then initializes the vCPU with KVM_ARM_VCPU_INIT requesting the vPMU feature (KVM_ARM_VCPU_PMU_V3). Without any further setup, in particular no vGIC and no vPMU device attributes, it issues KVM_RUN on the vCPU. On the first run, KVM enables the arch timer and then calls kvm_arm_pmu_v3_enable() from kvm_arch_vcpu_run_pid_change(); because the vPMU was requested but never set up, that call fails and KVM_RUN returns an error. Crucially, the timer is now enabled but the code that increments userspace_irqchip_in_use runs after the vPMU check, so the static key was never bumped. Userspace ignores the error and calls KVM_ARM_VCPU_INIT again: kvm_reset_vcpu() reaches kvm_timer_vcpu_reset(), which sees the enabled timer and calls kvm_timer_update_irq(); its userspace_irqchip() check consults the stale static key, concludes the VM has an in-kernel vGIC, tries to inject the timer interrupt into a vGIC that does not exist, and hits the WARN_ON(). Whether that is only a warning or a crash depends on the kernel's panic_on_warn setting.

Conclusion

---
CVE-2024-53195 shows how a global static key that must be kept in step with per-vCPU state can drift after an error path returns early: the timer was enabled, the key was not incremented, and a second vCPU initialization acted on the wrong answer. The fix removes the key and replaces it with the per-VM !irqchip_in_kernel() check, so the kernel warning is no longer reachable from userspace through the ioctl sequence above on arm64 hosts running KVM.

Timeline

Published on: 12/27/2024 14:15:27 UTC
Last modified on: 01/20/2025 06:21:01 UTC